From: jsing Date: Tue, 26 Mar 2024 04:14:45 +0000 (+0000) Subject: Move bn_montgomery_reduce() and drop prototype. X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=3f50f65c340654300811b3e14aee47b8422d357c;p=openbsd Move bn_montgomery_reduce() and drop prototype. No functional change. --- diff --git a/lib/libcrypto/bn/bn_mont.c b/lib/libcrypto/bn/bn_mont.c index 12fea44c5af..7fdbfbd54d7 100644 --- a/lib/libcrypto/bn/bn_mont.c +++ b/lib/libcrypto/bn/bn_mont.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_mont.c,v 1.61 2023/07/08 12:21:58 beck Exp $ */ +/* $OpenBSD: bn_mont.c,v 1.62 2024/03/26 04:14:45 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -299,7 +299,76 @@ BN_MONT_CTX_set_locked(BN_MONT_CTX **pmctx, int lock, const BIGNUM *mod, } LCRYPTO_ALIAS(BN_MONT_CTX_set_locked); -static int bn_montgomery_reduce(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mctx); +/* + * bn_montgomery_reduce() performs Montgomery reduction, reducing the input + * from its Montgomery form aR to a, returning the result in r. Note that the + * input is mutated in the process of performing the reduction, destroying its + * original value. + */ +static int +bn_montgomery_reduce(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mctx) +{ + BIGNUM *n; + BN_ULONG *ap, *rp, n0, v, carry, mask; + int i, max, n_len; + + n = &mctx->N; + n_len = mctx->N.top; + + if (n_len == 0) { + BN_zero(r); + return 1; + } + + if (!bn_wexpand(r, n_len)) + return 0; + + /* + * Expand a to twice the length of the modulus, zero if necessary. + * XXX - make this a requirement of the caller. + */ + if ((max = 2 * n_len) < n_len) + return 0; + if (!bn_wexpand(a, max)) + return 0; + for (i = a->top; i < max; i++) + a->d[i] = 0; + + carry = 0; + n0 = mctx->n0[0]; + + /* Add multiples of the modulus, so that it becomes divisible by R. */ + for (i = 0; i < n_len; i++) { + v = bn_mul_add_words(&a->d[i], n->d, n_len, a->d[i] * n0); + bn_addw_addw(v, a->d[i + n_len], carry, &carry, + &a->d[i + n_len]); + } + + /* Divide by R (this is the equivalent of right shifting by n_len). */ + ap = &a->d[n_len]; + + /* + * The output is now in the range of [0, 2N). Attempt to reduce once by + * subtracting the modulus. If the reduction was necessary then the + * result is already in r, otherwise copy the value prior to reduction + * from the top half of a. + */ + mask = carry - bn_sub_words(r->d, ap, n->d, n_len); + + rp = r->d; + for (i = 0; i < n_len; i++) { + *rp = (*rp & ~mask) | (*ap & mask); + rp++; + ap++; + } + r->top = n_len; + + bn_correct_top(r); + + BN_set_negative(r, a->neg ^ n->neg); + + return 1; +} static int bn_mod_mul_montgomery_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, @@ -512,77 +581,6 @@ BN_to_montgomery(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mctx, BN_CTX *ctx) } LCRYPTO_ALIAS(BN_to_montgomery); -/* - * bn_montgomery_reduce() performs Montgomery reduction, reducing the input - * from its Montgomery form aR to a, returning the result in r. Note that the - * input is mutated in the process of performing the reduction, destroying its - * original value. - */ -static int -bn_montgomery_reduce(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mctx) -{ - BIGNUM *n; - BN_ULONG *ap, *rp, n0, v, carry, mask; - int i, max, n_len; - - n = &mctx->N; - n_len = mctx->N.top; - - if (n_len == 0) { - BN_zero(r); - return 1; - } - - if (!bn_wexpand(r, n_len)) - return 0; - - /* - * Expand a to twice the length of the modulus, zero if necessary. - * XXX - make this a requirement of the caller. - */ - if ((max = 2 * n_len) < n_len) - return 0; - if (!bn_wexpand(a, max)) - return 0; - for (i = a->top; i < max; i++) - a->d[i] = 0; - - carry = 0; - n0 = mctx->n0[0]; - - /* Add multiples of the modulus, so that it becomes divisible by R. */ - for (i = 0; i < n_len; i++) { - v = bn_mul_add_words(&a->d[i], n->d, n_len, a->d[i] * n0); - bn_addw_addw(v, a->d[i + n_len], carry, &carry, - &a->d[i + n_len]); - } - - /* Divide by R (this is the equivalent of right shifting by n_len). */ - ap = &a->d[n_len]; - - /* - * The output is now in the range of [0, 2N). Attempt to reduce once by - * subtracting the modulus. If the reduction was necessary then the - * result is already in r, otherwise copy the value prior to reduction - * from the top half of a. - */ - mask = carry - bn_sub_words(r->d, ap, n->d, n_len); - - rp = r->d; - for (i = 0; i < n_len; i++) { - *rp = (*rp & ~mask) | (*ap & mask); - rp++; - ap++; - } - r->top = n_len; - - bn_correct_top(r); - - BN_set_negative(r, a->neg ^ n->neg); - - return 1; -} - int BN_from_montgomery(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mctx, BN_CTX *ctx) {